Basware Holdings Limited

Basware Invoice Processing

An Account Payable and Invoice Approval package delivering efficiencies and greater financial control for processing invoices, whether requiring approval retrospectively or matching to a purchase order. It combines industry-leading workflow, accommodating complex invoice processing rules, with Amazon-like user experiences for approvers. The solution extends to basic Procurement and Expense management.


  • Invoice approval to accommodate any invoice approval process
  • Simple to use invoice approval on mobile devices
  • Collaboration feature between AP/finance and invoice approvers
  • Full reporting suite to give complete visibility
  • Delegation of authorities followed on approval process
  • Integration with ERP system for suppliers and business data
  • Pass invoices to ERP as ready to pay through integration
  • Connect to Basware eInvoice to process any invoice digitally
  • Match to PO's from Basware P2P or other systems
  • Comprehensive audit capture and reporting


  • Dramatic efficiency improvements in AP/Finance
  • Easy adoption of invoice approval through high ease of use
  • Financial control through applying delegation of authorities
  • Financial control through budget visibility at invoice approval
  • Flexibility to handle complex invoice approval processes
  • Digitise any invoice format when used with Basware eInvoice
  • Full visibility of all invoices in progress
  • Seamless integration into ERP/finance system
  • Improved efficiency through collaboration funcitonality


£2.02 per unit

Service documents

G-Cloud 9


Basware Holdings Limited

Paul Clayton

0845 603 2885

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Basware eInvoice
Basware Marketplace
Basware Pay
Cloud deployment model Private cloud
Service constraints We operate a rolling maintenance programme, scheduled specifically agreed with the customer upon commencement of the service to deliver system maintenance that meets their requirements. It is designed to protect the live computing environment through the use of formal processes and procedures and to facilitate software and possibly hardware releases into the managed IT environment. The release programme is currently based upon a monthly timescales, but is moving to quarterly releases. The timing and activities of the planned maintenance will be in accordance with the schedule unless otherwise specifically agreed and will be carried out during non-core hours.
System requirements
  • OSx - Workplace Firefox Latest, Safari 5 or later
  • Desktop Client Microsoft Silverlight 5.0 or later
  • Browsers IE9 or later
  • Edge IE10 or later, Firefox and Chrome latest versions
  • Handheld IOS 7.0 Windows Phone 8.1 Android 4.3 or later

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response time within 1 hour Mon-Fri Excluding Bank Holidays
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels Basware Global Support model is aligned with ITIL (IT Infrastructure Library). Support is available during local business hours.24/7 support can be provided as an option.

The Service Desk provides advice and assistance about:
• Operational use and service requests related to the software or service
• Suspected incidents and problems This is underpinned by Service Level agreements.There are 3 levels of support designed for different types of organisation, with SaaS 2 offered as the service level for G-Cloud customers. Key elements of the service such as service updates, data security, Single Sign On, Maintenance, Business Continuity and Disater Recovery are commonly covered.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Rapid delivery of value for our customers is a key element of the Basware offering and the on-baording of both users and suppliers will be key. The implementation of the Basware solution will identify what are the key deliverables for the organisation and then focus the implementation on achieving these aims. Rapid design and build of the solution will then lead on to ensuring users both finance/AP and operational can be onboarded as effortlessly and quickly as possible. Training approaches will be dependent on the needs of each customer, but train the trainer and training doucmentaton are always utilised during the implementation. Supplier on-boarding should not be ignored and the Basware invoice processing solution, when used with Basware einvoice will allow suppliers many options for submitting invoices to our customers, thus ensuring that suppliers are onboarded quickly and with minimal resources.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. This is part of the service provided. If the service is terminated then all business documents and associated metadata held within the Customer's systems can be exported using the application's export functionality by the Customer. Metadata will be in human readable format.
End-of-contract process On completion of the call off, we can simply cease the services and the processes for doing so are clearly articulated within the arrangement. As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. All confidentialities relating to the services are maintained indefinitely as part of the arrangement

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Users require to log on separately when using a mobile device. Otherwise services are optimised for use on mobile devices.
Accessibility standards WCAG 2.0 A
Accessibility testing Basware has carried out testing with external users of assistive technology.
Customisation available No


Independence of resources The hosted service works in such a way that it has no capacity issues in respect of the content and transactions managed within the service. The hosted network is running at approximately 20% capacity at peak times, accommodating even the largest spikes in traffic. As network utilisation reaches 30% more network capacity will be added to ensure that customers never experience network degradation, even if one of the providers has an outage. Current bandwidth capacity is 6.3 Gbps.
The environment is proactively supported by a 24/7/365 dedicated support team ensuring it is not affected by the demands of other customers.


Service usage metrics Yes
Metrics types Operational Metrics - AP KPI – Overview dashboard provides information on 4 strategic key performance indicators (KPI):
E-invoice Rate – indicates the % of all invoices which are electronic
Spend under control – invoices based on PO or payment plan (Contract)
Automatically matched
Paid on time – % of invoices which are paid on or before the designated due date.
Performance trend - The dashboard also has the trend of each specific strategic KPI as well as the breakdown of each strategic KPI in bar charts
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach The service can be scheduled to export data and image files on a regular basis. Documents can be bulk uploaded in XLS, XML and CSV formats. Basware can support virtually any structured data format.
The service will export individual transactions either grouped into a batch or as separate invoice sets (content, image & attachments). The latter is the more common method of transfer.
These can be Zipped and signed as required.
Data export formats
  • CSV
  • Other
Other data export formats XML
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability Basware consistently operate the Basware service to meet a target level of 99.9% of time during a combination of core and non-core hours (97.5% during the first month of service or following a major release). Further information included in Service Definition document.

This is underpinned by our SAAS SLA providing 99%/99.5% availability during core working hours.
Approach to resilience This information is available on request.
Outage reporting Outages would be reported via email alerts. Scheduled Maintenance Windows Scheduled maintenance windows are required to allow for security updates, application upgrades and patching, addition of new hardware, etc. Basware reserves the right to specify the times of scheduled maintenance windows which will be targeted to be outside the hosting location's typical business working hours in order to keep the service interruption time for endusers close to zero. The scheduled maintenance windows may take place with 5 days notice. A maximum of two maintenance windows will be used in any month. During the maintenance window users will be informed of the unavailability of the service. For SaaS Three Customers only the notice period is extended to 10 days. Basware Analytics maintenance may take place with 5 days notice. A maximum of two maintenance windows will be used in any month. During the maintenance window users will be informed of the unavailability of the service.
Unscheduled Maintenance Windows: If unscheduled maintenance windows are required then 48 hours notice will be provided. If emergency repairs or updates are required, for example to apply security patches, then if the urgency is low enough 24 hours notice will be provided.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Basware systems are regulated by an approved access control system to control a user’s session prior to passing control to separate application software. The information systems access privileges of users must be defined based on their officially assigned roles.
Formal procedures are in place to control the allocation of access rights to information systems and services. The procedures cover all stages in the life-cycle of user access. Special attention is given to control the allocation of privileged access rights. There is a formal user registration and de-registration procedure for granting and revoking access to all information systems and services.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards Other
Other security governance standards ISAE-3402
Information security policies and processes Basware Information Security Policy describes the practices through which Basware assures its existing and future customers, partners and employees that their information is securely handled, stored and processed.
The Information Security Policy target is to comply with the ISO 27001 standards. The minimum target is to comply at all times with the local legal requirements.
Within the organisation, the Chief Financial Officer is responsible for the main policies concerning security, for its strategic steering and monitoring, and for the allocation of sufficient resources. In addition, Security Steering Group coordinates the overall security. Security Steering Group is chaired by the CFO.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The Basware solution has been built to be managed by our customers and configuration changes would typically be carried out by the customer organisation. Basware's software as a service offering does not work on the approach that our customers are buying services from us for configuration changes. If Basware is required to make changes then a formal and documented change management process must be followed. Configuration changes are documented as change request tickets. Configuration changes are implemented only after authorisation by Basware. Application changes are tested in a QA environment and signed off before deployment to production.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Systems are scanned for vulnerabilities at regular intervals. Customer production systems are scanned weekly. Customer and internal IT production systems are scanned internally with privileged system credentials for:
Hard-to-find vulnerabilities and configuration errors, Installed software patches, and System configuration compliance against applicable benchmark standards.
Risks are recorded in a risk register. The risk assessment includes business impact assessment, threat assessment, and vulnerability assessment. Risk management includes risk mitigation actions, risk avoidance, risk transfer, and risk acceptance in full or in part. Risk mitigation may include preventive, reactive, and corrective actions. Reactive and corrective actions are triggered by risk realisation.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach If production systems and business applications generate security events, for example both successful and failed instances of:
User logon and logoff, changes in privileges, such as user and access management, software changes and removal, system and application configuration changes, and significant system events.
Create, read, update, and delete access on customer data is monitored. Exceptional access (outside of standard data flow) generates security events.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Production environments are monitored for incidents and failures and incident tickets are opened for anomalies. Monitoring includes internal and external performance. Production environment activity is monitored by reviewing most common system and application log events in weekly meetings. Event logs are collected and stored.
A service level agreement (SLA) for service availability and performance is in place. Performance against the SLA is monitored and measured.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2.02 per unit
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑